Running wsl-vpnkit 0.4.1 works fine, but cannot make it run under systemctl

[ripowercat]

I am trying to run wsl-vpnkit as a service using the separate distro method. I can run it directly from PowerShell and as a standalone script and networking and DNS work fine. However when trying to run via systemctl it fails to start correctly. I see the following when running standalone:

/app# wsl-vpnkit

• VPNKIT_GATEWAY_IP=192.168.127.1
• VPNKIT_HOST_IP=192.168.127.254
• VPNKIT_LOCAL_IP=192.168.127.2
• TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
• VMEXEC_PATH=/app/wsl-vm
• GVPROXY_PATH=/app/wsl-gvproxy.exe
• TAP_NAME=wsltap
• CHECK_HOST=example.com
• CHECK_DNS=1.1.1.1
• DEBUG=0
• set +x
• WSL2_TAP_NAME=eth0
• WSL2_GATEWAY_IP=172.22.32.1
• '[' 0 -eq 0 ]
• set +x
  starting vm and gvproxy...
  INFO[0000] waiting for packets...
  time="2023-11-16T09:54:27-06:00" level=info msg="waiting for clients..."
  time="2023-11-16T09:54:27-06:00" level=info msg="new connection from remote to 14348"
  started vm and gvproxy
  check: ✔️ ping success to IPv4 WSL 2 gateway / Windows host (172.22.32.1)
  check: ✔️ ping success to IPv4 Windows host (192.168.127.254)
  check: ✔️ ping success to IPv4 gateway (192.168.127.1)
  check: ✔️ nslookup success for example.com A using 192.168.127.1
  check: ✔️ nslookup success for example.com A using 172.22.32.1
  check: ❌ nslookup fail for example.com A using 1.1.1.1
  check: ✔️ ping success to IPv4 external host domain (example.com)
  check: ✔️ ping success to IPv4 external host IP (1.1.1.1)
  check: ✔️ nslookup success for example.com AAAA using 192.168.127.1
  check: ✔️ nslookup success for example.com AAAA using 172.22.32.1
  check: ❌ nslookup fail for example.com AAAA using 1.1.1.1
  ping: bad address 'example.com'
  check: ➖ ping fail to IPv6 external host (example.com)
  check: ✔️ wget success for http://example.com
  485B4BFD6D7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
  ssl_client: SSL_connect
  wget: error getting response: Connection reset by peer
  check: ❌ wget fail for https://example.com
  W1116 09:54:29.088278 14348 gonet.go:457] ep.GetRemoteAddress() failed: endpoint not connected

When running as a service:

systemctl status wsl-vpnkit
× wsl-vpnkit.service - wsl-vpnkit
Loaded: loaded (/etc/systemd/system/wsl-vpnkit.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2023-11-16 10:17:09 CST; 6s ago
Process: 905 ExecStart=/mnt/c/Windows/system32/wsl.exe -d wsl-vpnkit --cd /app wsl-vpnkit (code=exited, status=1/FA>
Main PID: 905 (code=exited, status=1/FAILURE)

Nov 16 10:17:09 systemd[1]: wsl-vpnkit.service: Scheduled restart job, restart counter is at 5.
Nov 16 10:17:09 systemd[1]: Stopped wsl-vpnkit.
Nov 16 10:17:09 systemd[1]: wsl-vpnkit.service: Start request repeated too quickly.
Nov 16 10:17:09 systemd[1]: wsl-vpnkit.service: Failed with result 'exit-code'.
Nov 16 10:17:09 systemd[1]: Failed to start wsl-vpnkit.

Running "/mnt/c/Windows/system32/wsl.exe -d wsl-vpnkit --cd /app wsl-vpnkit" from the service info above gives me:

$ /mnt/c/Windows/system32/wsl.exe -d wsl-vpnkit --cd /app wsl-vpnkit

• VPNKIT_GATEWAY_IP=192.168.127.1
• VPNKIT_HOST_IP=192.168.127.254
• VPNKIT_LOCAL_IP=192.168.127.2
• TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
• VMEXEC_PATH=/app/wsl-vm
• GVPROXY_PATH=/app/wsl-gvproxy.exe
• TAP_NAME=wsltap
• CHECK_HOST=example.com
• CHECK_DNS=1.1.1.1
• DEBUG=0
• set +x
• WSL2_TAP_NAME=eth0
• WSL2_GATEWAY_IP=172.22.32.1
• '[' 0 -eq 0 ]
• set +x
  starting vm and gvproxy...
  INFO[0000] waiting for packets...
  time="2023-11-16T10:20:03-06:00" level=info msg="waiting for clients..."
  time="2023-11-16T10:20:03-06:00" level=info msg="new connection from remote to 7364"
  time="2023-11-16T10:20:03-06:00" level=error msg="r.CreateEndpoint() = no route to host"
  time="2023-11-16T10:20:03-06:00" level=error msg="r.CreateEndpoint() = no route to host"
  time="2023-11-16T10:20:03-06:00" level=error msg="r.CreateEndpoint() = no route to host"
  time="2023-11-16T10:20:03-06:00" level=error msg="r.CreateEndpoint() = no route to host"
  started vm and gvproxy
  check: ✔️ ping success to IPv4 WSL 2 gateway / Windows host (172.22.32.1)
  check: ✔️ ping success to IPv4 Windows host (192.168.127.254)
  check: ✔️ ping success to IPv4 gateway (192.168.127.1)
  check: ✔️ nslookup success for example.com A using 192.168.127.1
  check: ✔️ nslookup success for example.com A using 172.22.32.1
  check: ❌ nslookup fail for example.com A using 1.1.1.1
  check: ✔️ ping success to IPv4 external host domain (example.com)
  check: ✔️ ping success to IPv4 external host IP (1.1.1.1)
  check: ✔️ nslookup success for example.com AAAA using 192.168.127.1
  check: ✔️ nslookup success for example.com AAAA using 172.22.32.1
  check: ❌ nslookup fail for example.com AAAA using 1.1.1.1
  ping: bad address 'example.com'
  check: ➖ ping fail to IPv6 external host (example.com)
  check: ✔️ wget success for http://example.com
  489B9D6FBA7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/st
  atem_clnt.c:1889:
  ssl_client: SSL_connect
  wget: error getting response: Connection reset by peer
  check: ❌ wget fail for https://example.com
  W1116 10:20:04.280806 7364 gonet.go:457] ep.GetRemoteAddress() failed: endpoint not connected

Regardless of how I directly run it, networking works and I can resolve stuff. Just starting as a service fails.
I've found that while name resolution works fine using local name servers, I am not allowed to use 1.1.1.1 or 8.8.8.8. I am guessing at this point that the systemctl service is seeing these failures and saying that it can't start. Any help you can provide would be greatly appreciated.

[pahar0]

Seems that WSL versions >= 2.0.0 don't work correctly with this script anymore (systemctl mode).

Some changes have been introduced in the 2.0.0 WSL version related to connectivity and networking, this could be the reason.

Could you try to play with the new experimental-settings introduced and see if any combination / setting fix the systemctl issue?

[blakeduffey]

Seems that WSL versions >= 2.0.0 don't work correctly with this script anymore (systemctl mode).

I feel the change was in 2.0.5
2.0.0-2.0.4 all work with wsl-vpnkit, per my testing

[terlar]

I also experience this same issue. I didn't test all of the versions, but 2.0.0 works. Thanks for checking, I will probably pin to 2.0.4 then for now.

I don't get the same error though.

I get this:

wsl-vpnkit[43207]: /nix/store/kvzzfa5ly1qyw080bhndgr97nf4c4xps-gvproxy-0.7.1/bin/gvproxy-windows.exe is not executable due to WSL interop settings or Windows permissions

But running the script directly from my user with sudo works.

So something with the permissions is different when it runs via systemd since 2.0.5.

[r1m]

Fixed it using #247 (comment)

[dabeck81]

I have created a pull-request to resolve my issue as explained in #247. Please have a look at the pull-request : #250
This does the necessary to set the WSL_INTEROP value correct inline in the wsl-vpnkit script.
No need anymore for having an extra script running before the service is started.

And most of all, it is self-healing, so if you have more than one bash-terminals running and you would close the process linked to the WSL-INTEROP-socket, that will be detected and will switch over to another running socket

[pahar0]

That’s amazing. Im gonna check if the PR works for my issue.

…

I have created a pull-request to resolve my issue as explained in #247 <#247>. Please have a look at the pull-request : #250 <#250> This does the necessary to set the WSL_INTEROP value correct inline in the wsl-vpnkit script. No need anymore for having an extra script running before the service is started. And most of all, it is self-healing, so if you have more than one bash-terminals running and you would close the process linked to the WSL-INTEROP-socket, that will be detected and will switch over to another running socket — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALQBCC4RQ3WK2RZV2BXQKG3YE5XVXAVCNFSM6AAAAAA7ONXOMKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMJWGUZDKMZWG4> . You are receiving this because you commented.Message ID: ***@***.***>

[asalaria-cisco]

@dabeck81 the PR doesn't work for me: I tried the following:

I copied the two new files from your PR (wsl-vpnkit and wsl-vpnkit.service) to overwrite those in wsl-vpnkit 0.4.1 already installed on my computer. I then repeated the steps to create the systemd service and verified that the new wsl-vpnkit.service is in place.
I did a wsl --shutdown. I get the following error message:

Here is what I get in journalctl:

$ journalctl -b -u wsl-vpnkit.service
Nov 22 18:08:37 XXXXXX systemd[1]: Started wsl-vpnkit.
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + VPNKIT_GATEWAY_IP=192.168.127.1
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + VPNKIT_HOST_IP=192.168.127.254
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + VPNKIT_LOCAL_IP=192.168.127.2
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + VMEXEC_PATH=/app/wsl-vm
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + GVPROXY_PATH=/app/wsl-gvproxy.exe
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + TAP_NAME=wsltap
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + CHECK_HOST=example.com
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + CHECK_DNS=1.1.1.1
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + DEBUG=0
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + set +x
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + WSL2_TAP_NAME=eth0
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + WSL2_GATEWAY_IP=172.28.0.1
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + WSL_INTEROP=/run/WSL/7_interop
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + '[' 0 -eq 0 ]
Nov 22 18:08:39 XXXXXX wsl.exe[201]: + set +x
Nov 22 18:08:39 XXXXXX wsl.exe[201]: /app/wsl-gvproxy.exe is not executable due to WSL interop settings or Windows permissions
Nov 22 18:08:39 XXXXXX systemd[1]: wsl-vpnkit.service: Main process exited, code=exited, status=1/FAILURE
Nov 22 18:08:39 XXXXXX systemd[1]: wsl-vpnkit.service: Failed with result 'exit-code'.
Nov 22 18:08:39 XXXXXX systemd[1]: wsl-vpnkit.service: Scheduled restart job, restart counter is at 1.
Nov 22 18:08:39 XXXXXX systemd[1]: Stopped wsl-vpnkit.
Nov 22 18:08:39 XXXXXX systemd[1]: Started wsl-vpnkit.
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + VPNKIT_GATEWAY_IP=192.168.127.1
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + VPNKIT_HOST_IP=192.168.127.254
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + VPNKIT_LOCAL_IP=192.168.127.2
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + VMEXEC_PATH=/app/wsl-vm
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + GVPROXY_PATH=/app/wsl-gvproxy.exe
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + TAP_NAME=wsltap
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + CHECK_HOST=example.com
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + CHECK_DNS=1.1.1.1
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + DEBUG=0
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + set +x
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + WSL2_TAP_NAME=eth0
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + WSL2_GATEWAY_IP=172.28.0.1
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + WSL_INTEROP=/run/WSL/27_interop
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + '[' 0 -eq 0 ]
Nov 22 18:08:39 XXXXXX wsl.exe[450]: + set +x
Nov 22 18:08:39 XXXXXX wsl.exe[450]: /app/wsl-gvproxy.exe is not executable due to WSL interop settings or Windows permissions
Nov 22 18:08:39 XXXXXX systemd[1]: wsl-vpnkit.service: Main process exited, code=exited, status=1/FAILURE
Nov 22 18:08:39 XXXXXX systemd[1]: wsl-vpnkit.service: Failed with result 'exit-code'.
Nov 22 18:08:40 XXXXXX systemd[1]: wsl-vpnkit.service: Scheduled restart job, restart counter is at 2.
Nov 22 18:08:40 XXXXXX systemd[1]: Stopped wsl-vpnkit.
Nov 22 18:08:40 XXXXXX systemd[1]: Started wsl-vpnkit.
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + VPNKIT_GATEWAY_IP=192.168.127.1
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + VPNKIT_HOST_IP=192.168.127.254
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + VPNKIT_LOCAL_IP=192.168.127.2
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + VMEXEC_PATH=/app/wsl-vm
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + GVPROXY_PATH=/app/wsl-gvproxy.exe
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + TAP_NAME=wsltap
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + CHECK_HOST=example.com
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + CHECK_DNS=1.1.1.1
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + DEBUG=0
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + set +x
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + WSL2_TAP_NAME=eth0
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + WSL2_GATEWAY_IP=172.28.0.1
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + WSL_INTEROP=/run/WSL/46_interop
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + '[' 0 -eq 0 ]
Nov 22 18:08:40 XXXXXX wsl.exe[451]: + set +x
Nov 22 18:08:40 XXXXXX wsl.exe[451]: /app/wsl-gvproxy.exe is not executable due to WSL interop settings or Windows permissions
Nov 22 18:08:40 XXXXXX systemd[1]: wsl-vpnkit.service: Main process exited, code=exited, status=1/FAILURE
Nov 22 18:08:40 XXXXXX systemd[1]: wsl-vpnkit.service: Failed with result 'exit-code'.
Nov 22 18:08:40 XXXXXX systemd[1]: wsl-vpnkit.service: Scheduled restart job, restart counter is at 3.
Nov 22 18:08:40 XXXXXX systemd[1]: Stopped wsl-vpnkit.
Nov 22 18:08:40 XXXXXX systemd[1]: Started wsl-vpnkit.
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + VPNKIT_GATEWAY_IP=192.168.127.1
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + VPNKIT_HOST_IP=192.168.127.254
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + VPNKIT_LOCAL_IP=192.168.127.2
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + VMEXEC_PATH=/app/wsl-vm
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + GVPROXY_PATH=/app/wsl-gvproxy.exe
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + TAP_NAME=wsltap
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + CHECK_HOST=example.com
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + CHECK_DNS=1.1.1.1
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + DEBUG=0
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + set +x
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + WSL2_TAP_NAME=eth0
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + WSL2_GATEWAY_IP=172.28.0.1
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + WSL_INTEROP=/run/WSL/65_interop
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + '[' 0 -eq 0 ]
Nov 22 18:08:40 XXXXXX wsl.exe[452]: + set +x
Nov 22 18:08:41 XXXXXX wsl.exe[452]: /app/wsl-gvproxy.exe is not executable due to WSL interop settings or Windows permissions
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Main process exited, code=exited, status=1/FAILURE
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Failed with result 'exit-code'.
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Scheduled restart job, restart counter is at 4.
Nov 22 18:08:41 XXXXXX systemd[1]: Stopped wsl-vpnkit.
Nov 22 18:08:41 XXXXXX systemd[1]: Started wsl-vpnkit.
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + VPNKIT_GATEWAY_IP=192.168.127.1
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + VPNKIT_HOST_IP=192.168.127.254
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + VPNKIT_LOCAL_IP=192.168.127.2
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + VMEXEC_PATH=/app/wsl-vm
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + GVPROXY_PATH=/app/wsl-gvproxy.exe
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + TAP_NAME=wsltap
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + CHECK_HOST=example.com
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + CHECK_DNS=1.1.1.1
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + DEBUG=0
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + set +x
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + WSL2_TAP_NAME=eth0
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + WSL2_GATEWAY_IP=172.28.0.1
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + WSL_INTEROP=/run/WSL/84_interop
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + '[' 0 -eq 0 ]
Nov 22 18:08:41 XXXXXX wsl.exe[455]: + set +x
Nov 22 18:08:41 XXXXXX wsl.exe[455]: /app/wsl-gvproxy.exe is not executable due to WSL interop settings or Windows permissions
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Main process exited, code=exited, status=1/FAILURE
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Failed with result 'exit-code'.
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Scheduled restart job, restart counter is at 5.
Nov 22 18:08:41 XXXXXX systemd[1]: Stopped wsl-vpnkit.
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Start request repeated too quickly.
Nov 22 18:08:41 XXXXXX systemd[1]: wsl-vpnkit.service: Failed with result 'exit-code'.
Nov 22 18:08:41 XXXXXX systemd[1]: Failed to start wsl-vpnkit.

[OrpheeGT]

https://learn.microsoft.com/en-us/windows/wsl/wsl-config#interop-settings

add inside "/etc/wsl.conf" :

[interop]
enable = true

[blakeduffey]

https://learn.microsoft.com/en-us/windows/wsl/wsl-config#interop-settings

add inside "/etc/wsl.conf" :

[interop]
enable = true

I'm still seeing this error on 2.0.14

As an aside - per the release notes 'Disable the 'NoRemoteImages' process mitigation policy since it breaks execution of windows executables' was supposed to resolve the recent issue with wsl-vpnkit - but I'm still having breaking issues.

[blakeduffey]

I'm wondering if my issue is related to a third variable. When I removed it, wsl 2.0.14 and wsl-vpnkit .0.4.1 immediately started working.

[xgalaxy]

The interop enable trick shouldn't be needed since its by default true.

[OrpheeGT]

Maybe... My issue since I applied the patch is, as I installed the wsl-vpn-kit in my systemd ubuntu WSL, each time I open a new tab (with Hyper.is) the new tab seems to relaunch the service and breaks any current other tab connected with SSH...

I maybe will have to switch to a dedicated vpn-kit distrib...

[asalaria-cisco]

Just wanted to report that since I have added the following to my .wslconfig file, all my network issues (with and without connecting to VPN) have been solved. I have removed wsl-vpnkit since it was not needed anymore.

[wsl2]
networkingMode=mirrored